[sssd]
services = nss, pam
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
{% set sssd_authentik_ldap_domains = [] %}
{% for sssd_domain_info in hostvars[inventory_hostname].sssd_info.domains %}
{%- set sssd_authentik_ldap_domains = sssd_authentik_ldap_domains.append(sssd_domain_info.name) -%}
{% endfor %}
domains = {{ sssd_authentik_ldap_domains | join(',') }}

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

{% for sssd_domain_info in hostvars[inventory_hostname].sssd_info.domains %}
[domain/{{ sssd_domain_info.name }}]
ldap_id_use_start_tls = False
cache_credentials = False
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = simple
ldap_uri = {{ sssd_main.app.authentik_ldap[sssd_domain_info.name | replace('.', '_') ].uri }}
ldap_tls_reqcert = never
fallback_homedir = /home/%u
default_shell = /bin/bash
ldap_schema = rfc2307bis
ldap_search_base = {{ sssd_main.app.authentik_ldap[sssd_domain_info.name | replace('.', '_') ].basedn }}
ldap_user_object_class = user
ldap_user_name = cn
ldap_user_fullname = displayName
ldap_access_order = filter
ldap_user_search_filter = (|{%- for sssd_user_info in sssd_domain_info.users %}(cn={{ sssd_user_info.name }}){%- endfor %})
ldap_default_bind_dn = {{ sssd_main.app.authentik_ldap[sssd_domain_info.name | replace('.', '_') ].binddn }}
ldap_default_authtok_type = obfuscated_password
ldap_auth_disable_tls_never_use_in_production = true
{% if not loop.last %}{{ '\n' }}{% endif %}
{% endfor %}